The malware is a Windows dynamic library infected by a file virus that also functions as a backdoor. Attackers may use it to steal confidential information and to download other malicious programs onto the infected PC.

Technical Details

Installation

Once the code of the infected library is executed, the virus code gains control first. The virus body is decrypted and dropped to the following file:

To check for Internet connectivity, it opens the following resources:

google.com

mpa.one.microsoft.com

crl.microsoft.com

It then uses its backdoor functionality, connecting to the following servers to receive commands:

htmthgurhtchwlhwklf.com

ukiixagdbdkd.com

ouljuvkvn.com

jiwucjyxjibyd.com

tiqfgpaxvmhsxtk.com

cxatodxefolgkokdqy.com

khddwukkbwhfdiufhaj.com

tfgyaoingy.com

snoknwlgcwgaafbtqkt.com

swbadolov.com

ubkfgwqslhqyy.com

vrguyjjxorlyen.com

qbsqnpyyooh.com

caytmlnlrou.com

After receiving a command, the backdoor can perform the following actions:

- download files to the infected computer and launch them for execution;

- send collected data to the intruder’s server;

- block antivirus software;

- connect to other servers to receive commands.

The functionality described in the "File Infection" section is carried out by code injected into the address space of the "SVCHOST.EXE" process.

File Infection

The virus infects files with the following extensions:

exe

dll

Executable files and Windows dynamic libraries are infected by appending the virus body to the end of the last PE section of the target file. The program entry point is then modified so that the virus code is the first to gain control.
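Added example (not code from the original advisory): a Python script that parses the PE header and section table and flags the pattern described above, an entry point that lies in the last section of the image instead of in the first code section. The two sample images are constructed inside the script with a minimal PE builder so that it runs offline; the section layout, names and the "virus body" bytes are placeholders chosen for illustration, not data taken from this malware.

```python
"""Heuristic check for appended-code PE infectors: does AddressOfEntryPoint
fall in the last section, and is that a section the linker would normally
make the entry point?  Added example; not code from the original advisory."""
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
CODE_SECTION_NAMES = {".text", ".code", "code", "text"}


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_ptr: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span

    @property
    def executable(self) -> bool:
        return bool(self.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [Section, ...]) from a PE32/PE32+ image."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
        (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
        opt = e_lfanew + 24                                  # optional header start
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("not a PE32/PE32+ optional header")
        (entry,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
        sections = []
        for i in range(num_sections):
            off = opt + opt_size + 40 * i                    # IMAGE_SECTION_HEADER
            name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
            (chars,) = struct.unpack_from("<I", data, off + 36)
            sections.append(Section(name, vsize, vaddr, rsize, rptr, chars))
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return entry, sections


def check_entry_point(data: bytes) -> dict:
    """Report why the entry point looks like it was moved by an infector."""
    entry, sections = parse_pe(data)
    ep_section = next((s for s in sections if s.contains_rva(entry)), None)
    if ep_section is None:
        return {"entry": entry, "section": None, "findings": ["entry point outside all sections"]}
    findings = []
    last = sections[-1]
    first_code = next((s for s in sections if s.executable), None)
    if len(sections) > 1 and ep_section is last:
        findings.append(f"entry point 0x{entry:X} lies in the last section {last.name!r}")
    if ep_section.name.lower() not in CODE_SECTION_NAMES:
        findings.append(f"entry point section {ep_section.name!r} is not a conventional code section")
    if first_code is not None and ep_section is not first_code:
        findings.append(f"entry point is not in the first executable section {first_code.name!r}")
    if not ep_section.executable:
        findings.append("entry point section is not marked executable")
    return {"entry": entry, "section": ep_section.name, "findings": findings}


def is_suspicious(data: bytes) -> bool:
    return bool(check_entry_point(data)["findings"])


def build_pe(entry_rva: int, sections) -> bytes:
    """Assemble a minimal PE32 image from (name, virtual_address, raw_bytes,
    characteristics) tuples.  Constructed test data, not a real binary."""
    sections, opt_size, align = list(sections), 224, 0x200
    headers_len = (64 + 4 + 20 + opt_size + 40 * len(sections) + align - 1) & ~(align - 1)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    table, body, raw_ptr = bytearray(), bytearray(), headers_len
    for name, vaddr, raw, chars in sections:
        raw_size = (len(raw) + align - 1) & ~(align - 1)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(headers_len, b"\0")
    return headers + bytes(body)


TEXT_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000   # code, execute, read
RSRC_FLAGS = 0x00000040 | 0x40000000                                    # initialized data, read


def sample_clean() -> bytes:
    return build_pe(0x1010, [(".text", 0x1000, b"\x90" * 0x100, TEXT_FLAGS),
                              (".rsrc", 0x3000, b"R" * 0x80, RSRC_FLAGS)])


def sample_infected() -> bytes:
    # Placeholder "virus body" appended to the last section, the section made
    # executable, and the entry point redirected to the appended bytes.
    rsrc, virus_body = b"R" * 0x80, b"\x60" + b"\x90" * 0x3E + b"\xC3"
    return build_pe(0x3000 + len(rsrc), [
        (".text", 0x1000, b"\x90" * 0x100, TEXT_FLAGS),
        (".rsrc", 0x3000, rsrc + virus_body, RSRC_FLAGS | IMAGE_SCN_MEM_EXECUTE)])


if __name__ == "__main__":
    for label, image in (("clean", sample_clean()), ("infected", sample_infected())):
        print(label, check_entry_point(image))
```

This is a triage heuristic, not a signature: packers and some linkers also leave the entry point outside `.text`, so a hit should be confirmed by disassembling the bytes at the entry point. Since the advisory says both `.exe` and `.dll` files are targets, run the check over both when sweeping a system.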

Removal Recommendations

Run a full scan of your computer using Ad-Aware with an updated definition database (Download Ad-Aware Free).

Do not launch EXE files and do not reboot your computer until the full scan is complete.